Krebs on Security

In-depth security news and investigation

Adobe, Microsoft Push Critical Security Fixes

It’s Patch Tuesday, again. That is, if you run Microsoft Windows or Adobe products. Microsoft issued a dozen patch bundles to fix at least 54 security flaws in Windows and associated software. Separately, Adobe’s got a new version of its Flash Player available that addresses at least three vulnerabilities.

The updates from Microsoft concern many of the usual program groups that seem to need monthly security fixes, including Windows, Internet Explorer, Edge, Office, .NET Framework and Exchange.

According to security firm Qualys, the Windows update that is most urgent for enterprises tackles a critical bug in the Windows Search Service that could be exploited remotely via the SMB file-sharing service built into both Windows workstations and servers.

“While this vulnerability can leverage SMB as an attack vector, this is not a vulnerability in SMB itself, and is not related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry, and Petya.” Qualys notes, referring to the recent rash of ransomware attacks which leveraged similar vulnerabilities.

Other critical fixes of note in this month’s release from Microsoft include at least three vulnerabilities in Microsoft’s built-in browser — Edge or Internet Explorer depending on your version of Windows. There are at least three serious flaws in these browsers that were publicly detailed prior to today’s release, suggesting that malicious hackers may have had some advance notice on figuring out how to exploit these weaknesses.

As it is accustomed to doing on Microsoft’s Patch Tuesday, Adobe released a new version of its Flash Player browser plugin that addresses a trio of flaws in that program.

The latest update brings Flash to v. 26.0.0.137 for Windows, Mac and Linux users alike. If you have Flash installed, you should update, hobble or remove Flash as soon as possible. To see which version of Flash your browser may have installed, check out this page.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. An extremely powerful and buggy program that binds itself to the browser, Flash is a favorite target of attackers and malware. For some ideas about how to hobble or do without Flash (as well as slightly less radical solutions) check out A Month Without Adobe Flash Player.

If you choose to keep Flash, please update it today. The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates in and/or restart the browser to get the latest Flash version). A green arrow in the upper right corner of my Chrome installation today gave me the prompt I needed to update my version to the latest.

Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then.

As always, if you experience any issues downloading or installing any of these updates, please leave a note about it in the comments below.

1, The link above for the former “Flash Player version tracker” [http://www.adobe.com/software/flash/about/] no longer tells you which version has been installed on your system. It lists the latest versions for various operating systems but doesn’t say which one is installed.

2, On my Macintosh, I updated (as I usually do) using the Flash Player control panel under “System Preferences”. After completing the update, I found that the update had changed some of my preferences to less secure options, without notifying me or asking my permission. Namely, “Block all sites from using the camera and microphone” was changed to “Ask me when a site wants to use the camera or microphone”; and “Block all sites from using peer-assisted networking” was changed to “Ask me when a site wants to use peer-assisted networking”. Readers of this blog should be aware that you may have to go back and manually reset those preferences to the more secure options.

In addition, following Brian’s advice, I set my browser preferences to block all sites from using Flash, other than a very few highly trusted websites that I have approved in advance.

That’s true… at first. But after you click the “Check Now” button, and the short version info is displayed, look above the info for a gray box that may or may not have the “click to activate Flash” icon, and click that. Then the full version will appear below.

While Chrome, Opera, and Firefox are now updated to Flash 26.0.0.137 for me, on Windows 10 Home x64 Both Edge and IE11 still show Flash at 26.00.120 . Apparently Microsoft did not update EDGE and IE11 today.

I also updated Adobe Acrobat Reader DC today to 2017.009.20058 for those using that product.

The best thing about flash player is that I can play online games (flash games). But alas it’s not secure so I have completely uninstalled it, sometimes I miss those games, but hey! I miss a lot of other things too, missing one more thing is not so difficult! 😛

I suggest game programmers to please start using javascript with webgl and canvas etc. They can create awesome games in javascript too, and transporting flash stuff into javascript should not be that difficult if they have the source code.

The recent security update for Adobe, distributed by and with the Windows 10 update made my Firefox Browser crash on start. After one hour searching for solutions, I removed the update manually and now Firefox is starting again (Flash was the most recent version).
Microsoft just installs updates with a restart or shutdown. I even have no choice here. Do I need to uninstall the same corrupt update again and again until it’s finally fixed?
I don’t trust Microsoft anymore. They ‘force’ too much, install many unwanted programs and almost every recent update caused problems. I hope for a strong comparing company that will give us a Windows compatible alternate platform. And yes, Flash being fully replaced with HTML video and the like would be welcome. I had NEVER another software that needed so many updates as this one. Just bad!

Essentially what the bottom of the page means is this.
“When all else fails, here’s a simple, straightforward link to download a plain, full installer, instead of downloading a tiny program after selecting an option for extra stuff or not, and the tiny program downloading the installer in parts. We apologize that we use such a convoluted method.”

I’m checking for problems reported after installing Windows update (automatically). I’ve not seen this reported: Was unable to use Edge to get to internet last night. Only able to get through to Gmail. May have been cable modem problem discovered afterwards. Did shutdown and then restart. Finally able to connect to Facebook but not everything back to normal. It took a couple of shutdowns AND restarts last night and this morning before completely getting back to normal. Seems odd that I lost access to Edge browser temporarily. Oh yeah, Flash was updated to 26.0.0.137 Were problems with Edge just me?

Ugh another Patch Tuesday. That means another period of hours when the computer is unusable. Why does updating Windows 10 take so damn long?

Linux Mint never takes more than ten minutes or so to update, even if I don’t let it update for weeks on end. Windows 10 takes forever in comparison and I really can’t control when it happens, which a Disaster when I’m on the road with a laptop and a slow very expensive connection (I live mostly in developing countries, like the other 90% of the people in the World).

In fact, updating Windows 10 is so painful, I’ve stopped using Win10 mostly these days and boot into Linux instead. It’s at the point where the only time I boot Windows anymore is when I’m forced to by a particular Windows-only application, or when it’s time to do attempt the Dreaded Windows Update.

dear sir.mir fellow Krebs.
at the end of this year you should
make like TOP 3 Frauds;scams or etc. Like to read about wich is most badly like wich one done the most damage?
And also you should make list of who got the longest jail time?
Im sure the blog readers would love that stuff to read about it.
i always drink beer and smoke some sigarerets the time i read your blog keep doing what you doing. Im sure even fellow crooks fraudsters have big respect on you !!

After installing latest Windows 10 updates, all of my internet browsers crash. It will not allow me to uninstall any updates or roll back to the previous version. Edge, Chrome, Explorer and Firefox are all useless now. Any ideas on how to fix this?

Uninstall your Antivirus (likely you use Comodo). Then reinstall the newest version. Solved it in my case. Recent Windows updates are not compatible with third party Antivirus programs (see https://support.mozilla.org/en-US/questions/1167444). Another strategy to get people to use THEIR stuff? Windows updates should be checked for compatibility with common third party programs!

Last month’s MS updates wiped out synchronisation of Outlook 2007 calendars and contacts to Apple devices through iCloud with no resolution from either MS or Apple on the horizon without reintroducing the vulnerability that the update sought to address.
Now today’s release has resulted in not being able to connect to the internet at all.
There isn’t even a setting on Windows 10 Home to prevent automatic installation of Windows updates.
Surely the time has come for authorities to take action against MS? Brian Krebs are you up for a challenge?

This morning I successfully installed the NET Framework update, but when I go to try for the second one (Cumulative Update for Windows 10 Version 1607 for x64-based Systems (KB4015438)) Windows tells me that my system is up to date.